ai-rag-pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection through its RAG pipeline templates.
- Ingestion points: External data from Tavily and Exa searches is stored in variables (e.g.,
SEARCH_RESULT,CONTENT,EVIDENCE) and then passed into model prompts withinSKILL.mdexamples. - Boundary markers: The prompt templates use simple text headers (e.g., 'Search Results:', 'Source 1 (Tavily):') which can be easily bypassed if the retrieved web content contains instructions designed to override the agent's behavior.
- Capability inventory: The skill possesses the capability to execute any platform command via
infshas specified in theallowed-toolsfield. - Sanitization: There is no evidence of sanitization, escaping, or filtering of the external content before it is interpolated into the prompts.
- [COMMAND_EXECUTION]: The provided bash examples use unsafe shell variable interpolation.
- The examples construct JSON payloads for the
infshCLI using double-quoted strings (e.g.,"{\"prompt\": \"... $SEARCH\"}"). If the retrieved search content contains double quotes, backslashes, or backticks, it will cause the JSON to be malformed or potentially lead to unexpected shell behavior during command execution. - [EXTERNAL_DOWNLOADS]: The skill correctly references its own ecosystem tools.
- It suggests installing the
inference-sh/skills@agent-toolspackage vianpx, which is consistent with the skill's stated purpose and authored environment.
Audit Metadata